Sony breach turns bank's focus to users

When New Jersey's Provident Bank was founded in 1839, Martin Van Buren was president. The First Opium War was getting going in China. And, in Boston, the American Statistical Association was just being founded.

Provident is the 11th oldest bank in the United States. It survived the Civil War, the Great Depression, the savings and loan crisis, the dot-com bust, and this century's global financial meltdown.

Last year, the bank celebrated its 175th anniversary, otherwise known as its dodransbicentennial.

Last year was also an opportunity for the bank to watch as one great institution after another suffered massive attacks from cybercriminals.

"Seeing these large companies fall victim to data breaches reinforced how much energy we wanted to spend on protection," said Nathan Horn-Mitchem, the bank's vice president and information security officer.


Banks in particular carry a much higher burden of responsibility than retailers, he added, and not just because the stakes are higher.

"When Target or Home Depot gets breached, customers get mad and stop shopping there for a while," he said. "If you're a Target person, you might go to Walmart for a while."

But giving up your favorite store requires sacrifice. There's usually a reason why people prefer one retailer over another, and those preferences are hard to change.

"So, eventually, you go back," he said.

That's not the case for banks.

"We have one shot at this," he said. "We have one shot to keep customer information safe."

The bank decided to focus on the fundamentals, with a three-part strategy to educate new hires about security, train existing employees to be vigilant about phishing attacks, and increase the awareness of data security for everyone at the bank.

Onboarding

In the past, onboarding new hires involved a quick introduction to information security.

After the latest high-profile breaches, that changed. Now, new employees get more than an hour of training about security.

But the training doesn't focus on the bank's data.

"We spend the majority of the time helping them understand how to protect their own name, their own social -- everything they need to protect their own personal life," he said.

"I've had employees call me and inquire about a process the bank follows or suggest an improvement because they have moved into that security mindset," said Horn-Mitchem.

Phishing

Almost all the recent high-profile breaches have come down to an employee making a mistake or breaking a security policy. It is often a very simple mistake, such as sharing a password or opening an attachment.

"We can deploy sophisticated technologies, but at the end of the day it comes down to the users," Horn-Mitchem said.

In particular, phishing has often played a key role, including in the Sony breach. According to the 2014 Verizon breach report, phishing was a factor in 67 percent of all cyber-espionage breaches, and was the third most-common attack vector in all types of breaches.

Provident stepped up its phishing training campaigns immediately after the Sony breach, and plans to increase the pace even more in 2015.

To get the most impact, the bank sends fake phishing emails to a small number of employees at a time.

"If you send 1,500 people the same email, then as soon as one or two people figure it out, they spread the word," said Horn-Mitchem.

Over time, employees have been getting better at spotting the malicious emails, he said. Not only are the click rates going down, but more employees are reporting the emails to their department.

Data security

The bank already had a data classification policy in place, where a select group of people -- the owners of the information -- decided how sensitive the data was.

But many employees were handling the data, and not all of them were paying attention to how they were securing it.

"Email, to many people, is a routing activity," Horn-Mitchem said. "It's very easy to send out information of particular value to the bank, and not have any thought about whether they properly secured it."

When this happened, the emails would get bounced to the security staff for manual handling.

"We wanted to have our users understand the value of the data they're using on a daily basis and its importance," he said.

The bank instituted a new classification policy: each time employees sent information beyond the bank's walls, they had to pause and decide whether the information was confidential, sensitive, or public.

Depending on the classification, communications that required protection were then encrypted automatically, using either a TLS handshake with trusted partners or a secure mailer for unfamiliar destinations.
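As an added illustration (not code from the article or from the bank), here is a small outbound-mail gate in Python that applies the rules described above: public mail leaves in the clear, confidential or sensitive mail goes over enforced TLS to trusted partners or through a secure mailer elsewhere, and an unlabelled message is held for the manual review the security staff used to do for everything. The header semantics, the internal domain, the partner list and the sample addresses are assumptions.

```python
"""Outbound-mail classification gate modelled on the policy in the article.

Added example, not Provident Bank's code. The label source (an X-Classification
header set by the sender), the internal domain and the trusted-partner list are
assumptions; the sample messages are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Action(Enum):
    SEND_PLAIN = "send in clear"          # public information, or internal mail
    REQUIRE_TLS = "enforce TLS"           # protected data to a trusted partner
    SECURE_MAILER = "secure mailer"       # protected data to an unfamiliar domain
    HOLD_FOR_REVIEW = "hold for review"   # missing/invalid label: manual handling


VALID_LABELS = {"confidential", "sensitive", "public"}
INTERNAL_DOMAIN = "bank.example"                            # assumption
TRUSTED_PARTNERS = {"partner.example", "auditor.example"}   # constructed


@dataclass
class Message:
    sender: str
    recipients: List[str]
    label: Optional[str]   # value of the X-Classification header, if any


def _domain(addr: str) -> str:
    """Case-insensitive domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def route_outbound(msg: Message) -> Action:
    """Decide how a message must leave the bank, based on its label and recipients."""
    external = [r for r in msg.recipients if _domain(r) != INTERNAL_DOMAIN]
    if not external:
        return Action.SEND_PLAIN  # policy only applies beyond the bank walls
    label = (msg.label or "").strip().lower()
    if label not in VALID_LABELS:
        return Action.HOLD_FOR_REVIEW  # the old path: bounce to security staff
    if label == "public":
        return Action.SEND_PLAIN
    # Confidential or sensitive: every external recipient must be a trusted
    # partner for TLS to suffice; one unfamiliar domain forces the secure mailer.
    if all(_domain(r) in TRUSTED_PARTNERS for r in external):
        return Action.REQUIRE_TLS
    return Action.SECURE_MAILER


if __name__ == "__main__":
    sample = Message("teller@bank.example", ["ops@partner.example"], "Confidential")
    print(route_outbound(sample).value)
```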

The new policy applied to all bank staff, from the senior management down to the individual tellers, about 1,000 users total.

"It's not that big a speed bump that it slows users down, but it is a speed bump, and makes them think," he said.

From the very beginning, accuracy was close to 100 percent, with information classified either at the appropriate level or higher.

"Even in the first week, we saw very few mistakes made," he said. "Within two weeks, everyone at the bank was very comfortable with the system."

Plus, the increased awareness about data security translated to other areas as well, such as paper documents.

Another benefit is that instead of spending six hours a week reviewing emails to ensure that they were appropriately encrypted, Horn-Mitchem's team now spends less than an hour.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.